That's right, it's easier to set up such a MiTM using an intermediate server, because only getting the private key of the certificate won't get you the user's traffic due to PFS.
You either need to disable PFS on the server, or export TLS master keys for each session in some way, or MiTM.
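
Added example, not part of the original comment: a toy Python model of why a recorded capture plus the certificate's private key yields the session key under RSA key transport (PFS disabled) but not under ephemeral DH, where only a per-session secret export does. The parameters are constructed Mersenne primes, far too small for real use, and all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy parameters: Mersenne primes, far too small for real use.
P_DH, G = 2**127 - 1, 3                      # toy DH group
RSA_P, RSA_Q, E = 2**61 - 1, 2**89 - 1, 65537
N = RSA_P * RSA_Q
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))    # server's long-term private key


def kdf(secret: int) -> bytes:
    """Derive a session key from the shared secret (stand-in for the TLS PRF)."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def rsa_key_transport():
    """Non-PFS handshake: client encrypts the premaster to the long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    wire = {"encrypted_premaster": pow(premaster, E, N)}   # what a tap records
    return wire, kdf(premaster)


def ephemeral_dh():
    """PFS handshake: long-term key only signs; secrets are per-session."""
    a = secrets.randbelow(P_DH - 3) + 2      # client ephemeral, discarded later
    b = secrets.randbelow(P_DH - 3) + 2      # server ephemeral, discarded later
    A, B = pow(G, a, P_DH), pow(G, b, P_DH)
    digest = int.from_bytes(hashlib.sha256(str(B).encode()).digest(), "big") % N
    wire = {"A": A, "B": B, "sig": pow(digest, D, N)}      # what a tap records
    shared = pow(B, a, P_DH)
    return wire, kdf(shared), shared         # 'shared' models an exported secret


def recover_with_private_key(wire: dict, d: int):
    """All a recorded capture plus the long-term key yields: RSA decryption."""
    if "encrypted_premaster" in wire:
        return kdf(pow(wire["encrypted_premaster"], d, N))
    # DHE: the key only produced 'sig' over the public value B; nothing on the
    # wire is encrypted to it, so there is no session secret to decrypt.
    return None


def recover_with_session_export(exported_secret: int) -> bytes:
    """Per-session key export (key-log style) works regardless of PFS."""
    return kdf(exported_secret)
```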